Page 1 of 1

Reset Password System

#1 RamonRobben

  • D.I.C Head

Reputation: 19
  • Posts: 124
  • Joined: 19-May 14

Posted 20 February 2015 - 07:57 AM

Welcome to my first tutorial on this forum.
This tutorial is an improved version of the tutorial Password Reset System Without Using A Database by Master Jake.

So before we begin you need the following things:
1. The PHP email() function must be enabled.
2. You need a database with the email and password of the user, because otherwise they cannot reset their password.

Let's start with the forms.

This is the forgot_password.php form:
<form action="change.php" method="POST">
E-mail Address: <input type="text" name="email" size="20" /> <input type="submit" name="ForgotPassword" value=" Request Reset " />
</form>


This is the reset_password.php form:
<?php echo '
<form action="reset.php" method="POST">
E-mail Address: <input type="text" name="email" size="20" /><br />
New Password: <input type="password" name="password" size="20" /><br />
Confirm Password: <input type="password" name="confirmpassword" size="20" /><br />
<input type="hidden" name="q" value="';
if (isset($_GET["q"])) {
	// Escape the key before placing it inside an HTML attribute
	echo htmlspecialchars($_GET["q"], ENT_QUOTES, 'UTF-8');
}
echo '" /><input type="submit" name="ResetPasswordForm" value=" Reset Password " />
</form>';

?>



Okay, so now we have 2 forms.
The forms are basic HTML; the only difference between the first form and the second form is that the second form echoes the HTML,
and in the second form you have the code:
if (isset($_GET["q"])) {
	// Escape the key before placing it inside an HTML attribute
	echo htmlspecialchars($_GET["q"], ENT_QUOTES, 'UTF-8');
}


This code checks if the variable $_POST["q"] is set, and if it is then it echoes the q variable in the value box of the hidden input,
so we can later get that q in another form.

So now the PHP code!

Change.php
The full code:

<?php
// Connect to MySQL
$username = "username";
$password = "password";
$host = "localhost";
$dbname = "databasename";
try {
	$conn = new PDO("mysql:host={$host};dbname={$dbname};charset=utf8", $username, $password);
}
catch (PDOException $ex) {
	$msg = "Failed to connect to the database";
}

// Was the form submitted?
if (isset($_POST["ForgotPassword"])) {

	// Harvest submitted e-mail address
	if (isset($_POST["email"]) && filter_var($_POST["email"], FILTER_VALIDATE_EMAIL)) {
		$email = $_POST["email"];
	} else {
		echo "email is not valid";
		exit;
	}

	// Check to see if a user exists with this e-mail
	$query = $conn->prepare('SELECT email FROM users WHERE email = :email');
	$query->bindParam(':email', $email);
	$query->execute();
	$userExists = $query->fetch(PDO::FETCH_ASSOC);
	$conn = null;

	// fetch() returns false when no row matched, so test the field with empty()
	if (!empty($userExists["email"]))
	{
		// Create a unique salt. This will never leave PHP unencrypted.
		$salt = "498#2D83B631%3800EBD!801600D*7E3CC13";

		// Create the unique user password reset key
		$password = hash('sha512', $salt.$userExists["email"]);

		// Create a url which we will direct them to reset their password
		$pwrurl = "www.yoursitehere.com/reset_password.php?q=".$password;

		// Mail them their key
		$mailbody = "Dear user,\n\nIf this e-mail does not apply to you please ignore it. It appears that you have requested a password reset at our website www.yoursitehere.com\n\nTo reset your password, please click the link below. If you cannot click it, please paste it into your web browser's address bar.\n\n" . $pwrurl . "\n\nThanks,\nThe Administration";
		mail($userExists["email"], "www.yoursitehere.com - Password Reset", $mailbody);
		echo "Your password recovery key has been sent to your e-mail address.";
	}
	else
		echo "No user with that e-mail address exists.";
}
?>



So now some explanation:

With this code we are setting the variables so they can be used to make a connection with the database.
We are using try before we make the connection because then we can see if something goes wrong.
If we made a successful connection with the database then no errors will come up,
but if we fail to make a connection with the database then the variable $msg will be set to an error message which we can echo out if we need to.
// Connect to MySQL
$username = "username";
$password = "password";
$host = "localhost";
$dbname = "databasename";
try {
	$conn = new PDO("mysql:host={$host};dbname={$dbname};charset=utf8", $username, $password);
}
catch (PDOException $ex) {
	$msg = "Failed to connect to the database";
}



So this code checks if the form was submitted or if the user just visited the page accidentally.
If this condition is true then the code will run; if it is false then the code will not run.
if (isset($_POST["ForgotPassword"])) {


So the next code will check if the email address is valid.
If the email address is valid then it will continue running the code,
and if the email is not valid then we stop the code and show the message: Email is not valid
	if (isset($_POST["email"]) && filter_var($_POST["email"], FILTER_VALIDATE_EMAIL)) {
		$email = $_POST["email"];
	} else {
		echo "email is not valid";
		exit;
	}



This code will check if the email is in the database and set $userExists to the results, because if we can't find any results then
$userExists['email'] is empty, and we can't reset the password of a person that doesn't exist in our database.
If the email is in the database then it will continue running the code, and the database connection will be closed since we don't need it anymore.

Also we are binding the parameters to the variables. This helps against SQL injections.
	// Check to see if a user exists with this e-mail
	$query = $conn->prepare('SELECT email FROM users WHERE email = :email');
	$query->bindParam(':email', $email);
	$query->execute();
	$userExists = $query->fetch(PDO::FETCH_ASSOC);
	$conn = null;

	// fetch() returns false when no row matched, so test the field with empty()
	if (!empty($userExists["email"]))



This code will set the password to a hashed value of the mail, so it will generate a reset code by using the hash and the email.
After that we set a variable pwrurl to the link where the password can be changed.
After that we show a message that the mail has been sent, and we mail the information to the user so he can reset his password.
$salt = "498#2D83B631%3800EBD!801600D*7E3CC13";

		// Create the unique user password reset key
		$password = hash('sha512', $salt.$userExists["email"]);

		// Create a url which we will direct them to reset their password
		$pwrurl = "www.yoursitehere.com/reset_password.php?q=".$password;
		
		// Mail them their key
		$mailbody = "Dear user,\n\nIf this e-mail does not apply to you please ignore it. It appears that you have requested a password reset at our website www.yoursitehere.com\n\nTo reset your password, please click the link below. If you cannot click it, please paste it into your web browser's address bar.\n\n" . $pwrurl . "\n\nThanks,\nThe Administration";
		mail($userExists["email"], "www.yoursitehere.com - Password Reset", $mailbody);
		echo "Your password recovery key has been sent to your e-mail address.";
		
	}
	else
		echo "No user with that e-mail address exists.";


We are using SHA-512 since we don't want anyone to be able to reset someone's password by just going to the page without a code and changing the password. The reset code will help protect us against that.

Reset.php
The full code:

<?php

// Connect to MySQL
$username = "username";
$password = "password";
$host = "localhost";
$dbname = "databasename";
try {
	$conn = new PDO("mysql:host={$host};dbname={$dbname};charset=utf8", $username, $password);
	//$conn = new PDO('mysql:host=localhost;dbname=test', 'root', '');
}
catch (PDOException $ex) {
	$msg = "Failed to connect to the database";
}

// Was the form submitted?
if (isset($_POST["ResetPasswordForm"]))
{
	// Gather the post data (fall back to empty strings if a field is missing)
	$email = isset($_POST["email"]) ? $_POST["email"] : "";
	$password = isset($_POST["password"]) ? $_POST["password"] : "";
	$confirmpassword = isset($_POST["confirmpassword"]) ? $_POST["confirmpassword"] : "";
	$hash = isset($_POST["q"]) ? $_POST["q"] : "";

	// Use the same salt from the change.php file
	$salt = "498#2D83B631%3800EBD!801600D*7E3CC13";

	// Generate the reset key
	$resetkey = hash('sha512', $salt.$email);

	// Does the new reset key match the one from the link? (constant-time string comparison)
	if (hash_equals($resetkey, $hash))
	{
		if ($password === $confirmpassword)
		{
			// Hash and secure the password
			$password = hash('sha512', $salt.$password);

			// Update the user's password
			$query = $conn->prepare('UPDATE users SET password = :password WHERE email = :email');
			$query->bindParam(':password', $password);
			$query->bindParam(':email', $email);
			$query->execute();
			$conn = null;
			echo "Your password has been successfully reset.";
		}
		else
			echo "Your passwords do not match.";
	}
	else
		echo "Your password reset key is invalid.";
}

?>



And now some explanation:

We now know what this code does, and if you don't, just read the explanation of Change.php.
// Connect to MySQL
$username = "username";
$password = "password";
$host = "localhost";
$dbname = "databasename";
try {
	$conn = new PDO("mysql:host={$host};dbname={$dbname};charset=utf8", $username, $password);
	//$conn = new PDO('mysql:host=localhost;dbname=test', 'root', '');
}
catch (PDOException $ex) {
	$msg = "Failed to connect to the database";
}



So now we are checking if the form was submitted and filled in by checking if the variable is set.
If it is, the code will run, and otherwise the code will stop running. If isset returns true then we set our variables to the posted values so
we can use them later in the script.
if (isset($_POST["ResetPasswordForm"]))
{
	// Gather the post data (fall back to empty strings if a field is missing)
	$email = isset($_POST["email"]) ? $_POST["email"] : "";
	$password = isset($_POST["password"]) ? $_POST["password"] : "";
	$confirmpassword = isset($_POST["confirmpassword"]) ? $_POST["confirmpassword"] : "";
	$hash = isset($_POST["q"]) ? $_POST["q"] : "";



So here we are trying to regenerate the code so we can check if the code that the user is using is a valid code.
We are doing that by regenerating the key using the same method as in the Change.php form.
After that it checks if the key is valid; if it is then the code will continue running, and if the code is not valid then we show an error message saying
that the code is not valid.
	$salt = "498#2D83B631%3800EBD!801600D*7E3CC13";

	// Generate the reset key
	$resetkey = hash('sha512', $salt.$email);

	// Does the new reset key match the one from the link? (constant-time string comparison)
	if (hash_equals($resetkey, $hash))



So here we are checking if the passwords match, and if they do then we secure the password by encrypting it.
After that we run a query so the password of the user gets updated to the new password, then the connection is closed since we don't need it anymore, and
we show the user that the password has been changed correctly.
If the passwords don't match or if the reset key is not valid then we show the corresponding error message to the user.

Also we are binding the parameters to the variables because this helps against SQL injections.
		if ($password === $confirmpassword)
		{
			// Hash and secure the password
			$password = hash('sha512', $salt.$password);

			// Update the user's password
			$query = $conn->prepare('UPDATE users SET password = :password WHERE email = :email');
			$query->bindParam(':password', $password);
			$query->bindParam(':email', $email);
			$query->execute();
			$conn = null;
			echo "Your password has been successfully reset.";
		}
		else
			echo "Your passwords do not match.";
	}
	else
		echo "Your password reset key is invalid.";
}



Yes, you have now made your own Password Reset System. Now you only have to make it pretty with some HTML and CSS and put it on your website.

Thank you all for reading my tutorial. I hope you liked it,
and if you have any questions feel free to ask them.


If the connection doesn't work or throws errors, try this:

// Connect to MySQL
$username = "username";
$password = "password";
$host = "localhost";
$dbname = "databasename";
try {
	// Same DSN built with string concatenation instead of interpolation
	$conn = new PDO("mysql:host=".$host.";dbname=".$dbname.";charset=utf8", $username, $password);
}
catch (PDOException $ex) {
	$msg = "Failed to connect to the database";
}


EDIT IMPORTANT!!
I will update this tutorial ASAP to work perfectly fine with my other tutorials and scripts as well!

This post has been edited by RamonRobben: 24 February 2015 - 08:06 AM



Replies To: Reset Password System

#2 Christopher.Burkhouse

  • New D.I.C Head

Reputation: 1
  • Posts: 20
  • Joined: 03-March 15

Posted 04 March 2015 - 10:42 PM

My only concern is, if I'm reading this correctly, it seems like the password reset URL/code is always the same and never expires. Essentially if I go onto a friend's laptop and rip the URL from their history, I could reset their password for them (deviously of course) at a much later time. Of course there are so many ways to give them their code! From temp one-time passwords, temp one-time reset codes (my favorite), and so on, this is an interesting way about it.

-Chris
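The temporary one-time reset code Chris describes, as an added example that is not part of the tutorial or of either post: the change.php side mints a random token, stores only its hash together with an expiry, and the reset.php side compares it in constant time, refuses it once expired, deletes it after a single use, and stores the new password with password_hash(). The users and resets tables, the 30-minute lifetime and the sample user are assumptions; it runs on an in-memory SQLite database so it works stand-alone.

```php
<?php
// Added example, not code from the tutorial: a random, single-use, expiring reset token.
// Runs on an in-memory SQLite database so it works stand-alone; swap the DSN for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)');      // assumed schema
$db->exec('CREATE TABLE resets (email TEXT, token_hash TEXT, expires INTEGER)'); // assumed schema
$db->exec("INSERT INTO users VALUES ('alice@example.com', '')");             // constructed user

// change.php side: mint a fresh random token, keep only its hash, valid for 30 minutes.
function issueResetToken(PDO $db, string $email): ?string {
    $q = $db->prepare('SELECT email FROM users WHERE email = :email');
    $q->execute([':email' => $email]);
    if (!$q->fetch()) {
        return null; // show the same "check your mail" message whether or not the user exists
    }
    $token = bin2hex(random_bytes(32)); // 256 random bits, different on every request
    $db->prepare('DELETE FROM resets WHERE email = :email')->execute([':email' => $email]);
    $ins = $db->prepare('INSERT INTO resets (email, token_hash, expires) VALUES (:e, :h, :x)');
    $ins->execute([':e' => $email, ':h' => hash('sha256', $token), ':x' => time() + 1800]);
    return $token; // this value goes into the mailed link as ?q=<token>
}

// reset.php side: match the token by hash in constant time, refuse expired ones,
// delete it once used, and store the new password with password_hash().
function consumeResetToken(PDO $db, string $email, string $token, string $newPassword): bool {
    $q = $db->prepare('SELECT token_hash, expires FROM resets WHERE email = :email');
    $q->execute([':email' => $email]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int)$row['expires'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false; // unknown, expired or wrong token: one generic error for all three cases
    }
    $db->prepare('DELETE FROM resets WHERE email = :email')->execute([':email' => $email]);
    $u = $db->prepare('UPDATE users SET password = :p WHERE email = :e');
    $u->execute([':p' => password_hash($newPassword, PASSWORD_DEFAULT), ':e' => $email]);
    return true;
}

// First use of the token succeeds; a replay of the same link is rejected.
$token = issueResetToken($db, 'alice@example.com');
echo consumeResetToken($db, 'alice@example.com', $token, 'new-secret') ? "reset ok\n" : "rejected\n";
echo consumeResetToken($db, 'alice@example.com', $token, 'again') ? "reset ok\n" : "rejected\n";
```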

#3 RamonRobben

  • D.I.C Head

Reputation: 19
  • Posts: 124
  • Joined: 19-May 14

Posted 05 March 2015 - 09:15 AM

Christopher.Burkhouse, on 04 March 2015 - 10:42 PM, said:

My only concern is, if I'm reading this correctly, it seems like the password reset URL/code is always the same and never expires. Essentially if I go onto a friend's laptop and rip the URL from their history, I could reset their password for them (deviously of course) at a much later time. Of course there are so many ways to give them their code! From temp one-time passwords, temp one-time reset codes (my favorite), and so on, this is an interesting way about it.

-Chris


This is just how the system works. If you want, you could add some features to it like what you said, because this isn't an Advanced Secured Reset Password System :)
